I want to disable SSH login

Hello, I have an issue with a live vyos. It has enabled SSH logins, and I can’t find the private key to log in.
I have a copy of the ./ssh file from the vyos as a backup; can I log in using this info from a new PC?
Or failing that, the vyos has an error that when rebooted it defaults to the vyos / vyos login, until the config is loaded.

Could I find the command to reset to the vyos/vyos login once the config is loaded, and then commit, so that I can get in as plaintext after the loaded config?

SSH is disabled by default for the LiveCD systems.

Sorry, my mistake: when I say live system, I mean it is in production and being used by virtual machines.

There is a password recovery option during boot (GRUB menu).

Does that work if the system is configured for SSH logins only?

What do you mean by “SSH logins only”? Are you referring to only key-based login, e.g. only password-less logins? If that is the case, you then need to get into the VGA/serial console. If you do not have the password for the device, you need to do a password recovery (requires a reboot); then you need to copy a new SSH key to the device to be able to log in via SSH again.

Yes, the vyos is configured for key-based logins only. It is a virtual machine, with a console that does not allow entering clipboard data, so how do I upload a new SSH key? I was thinking I could reset it to use plaintext passwords instead of key-based entries; is this possible using the password reset feature?

Use a modern SSH key algorithm, ecde256 (or something called like that). The keys are short and you can type in the SSH public key.

Or you can create a Linux VM. Detach the vmdk HDD from the vyos VM. Attach it to the new VM … make changes in the filesystem or the /config mount, add the new SSH key and reattach the disk to the vyos VM.

Third option: boot the vyos VM from an ISO image like systemrescuecd.

Best regards
Alexander

Is the VM in the cloud? A cloud-init script/metadata could inject it for you on boot.

If you do have the password for a user and are able to log in to the device using your VM’s console, please log in to the device, go into configure and disable key-only authentication by issuing delete service ssh disable-password-authentication. When you then commit, you will be able to log in to the device using the user’s password. You could then SSH into the device and install new keys for your users, and then enable key-only authentication again by entering set service ssh disable-password-authentication.

If you are not able to log in to the device on your VM’s console using a password, you will need to reboot the device and choose “Password reset” in the vyos GRUB boot menu and then set a new password on your user before doing the above.

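Added example, not part of the thread and not VyOS project code: the last reply's step of installing a new key means entering the key type and the base64 blob as two separate `set system login user ... authentication public-keys ...` commands, so this sketch checks an OpenSSH public-key line before turning it into those commands. The function names `vyos_key_cmds` and `sample_key` and the key identifier `recovery` are hypothetical, and the sample key is constructed.

```shell
#!/bin/sh
# Turn one OpenSSH public-key line ("type base64 [comment]") into the two
# VyOS commands that install it, rejecting input that is not a well-formed
# public key. Usage: vyos_key_cmds USER KEY_ID "PUBKEY LINE"
vyos_key_cmds() {
    user=$1 id=$2
    ktype=${3%% *}                 # first field: key type
    rest=${3#* }
    blob=${rest%% *}               # second field: base64 blob
    case $ktype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $ktype" >&2; return 1 ;;
    esac
    # Private-key text or a mistyped blob must never be loaded as a public key.
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) echo "blob is not base64" >&2; return 1 ;;
    esac
    # The decoded blob starts with a 4-byte length followed by the type name;
    # a mismatch means the line was truncated, mistyped or mislabelled.
    inner=$(printf '%s' "$blob" | base64 -d 2>/dev/null | tail -c +5 | head -c "${#ktype}")
    [ "$inner" = "$ktype" ] || { echo "blob does not match type $ktype" >&2; return 1; }
    printf 'set system login user %s authentication public-keys %s type %s\n' "$user" "$id" "$ktype"
    printf 'set system login user %s authentication public-keys %s key %s\n' "$user" "$id" "$blob"
}

# Constructed sample: an ed25519-shaped blob whose 32 key bytes are ASCII "0".
sample_key() {
    printf 'ssh-ed25519 %s admin@constructed\n' \
        "$(printf '\000\000\000\013ssh-ed25519\000\000\000\040%032d' 0 | base64)"
}

# Print the commands to enter in VyOS configure mode for user "vyos".
vyos_key_cmds vyos recovery "$(sample_key)"
```

After committing the printed commands, confirm that key login works in a second SSH session before entering set service ssh disable-password-authentication again, so a mistyped key does not lock the device a second time.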